US9736172B2 · Active · Utility · PatentIndex 71

Signature-free intrusion detection

Assignee: GARG SACHIN · Priority: Sep 12, 2007 · Filed: Sep 12, 2007 · Granted: Aug 15, 2017
Est. expiry: Sep 12, 2027 (~1.2 yrs left) · nominal 20-yr term from priority
Inventors: GARG SACHIN, SINGH NAVJOT, ADHIKARI AKSHAY, WU YU-SUNG
Classification: H04L 63/0254 · H04L 63/1416
PatentIndex Score: 71 · Cited by: 5 · References: 109 · Claims: 13

Abstract

An apparatus and method are disclosed for detecting intrusions in Voice over Internet Protocol systems, without the use of an attack signature database. In particular, the illustrative embodiment is based on the observation that some VoIP-related protocols (e.g., the Session Initiation Protocol [SIP], etc.) are simple enough to be represented by a finite-state machine (FSM) of compact size. A finite-state machine is maintained for each session/node/protocol combination, and any illegal state or state transition—which might be the result of a malicious attack—is flagged as a potential intrusion.
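As an added example that is not part of the patent or its text, the following Python sketch implements the idea the abstract and claims 1, 3 and 9 describe: one finite-state machine per (node, session) for a simplified SIP dialog, with any message for which the machine has no transition raised as an alert (and, as in claim 3, optionally dropped), plus the claim-1 style comparison of a node-reported protocol state p against the machine's current state f. The state set, transition table, start-line parser, Call-ID-keyed session identity and sample messages are this example's own simplifying assumptions, not the patent's FSM or a complete RFC 3261 dialog/transaction model; no attack signature is consulted anywhere.

```python
import re
from dataclasses import dataclass
from typing import Optional
# SIP start lines (RFC 3261 syntax, simplified): request line or status line.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) \S+ SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (?P<code>\d{3}) ")

def classify(raw: str) -> tuple:
    """Reduce a raw SIP message to (Call-ID, event kind): method, or '1xx'/'2xx'/'fail'."""
    lines = raw.strip().splitlines()
    call_id = None
    for header in lines[1:]:
        name, _, value = header.partition(":")
        if name.strip().lower() in ("call-id", "i"):  # 'i' is the compact form
            call_id = value.strip()
    if not call_id:
        raise ValueError("missing Call-ID")
    start = lines[0].strip()
    if m := REQUEST_LINE.match(start):
        return call_id, m.group("method")
    if m := STATUS_LINE.match(start):
        code = int(m.group("code"))
        return call_id, "1xx" if code < 200 else "2xx" if code < 300 else "fail"
    raise ValueError(f"not a SIP start line: {start!r}")

# Assumed dialog states of the monitored node for one call (caller or callee side).
IDLE, CALLING, PROCEEDING = "idle", "calling", "proceeding"
ACCEPTED_UAC, ACCEPTED_UAS, ESTABLISHED = "accepted_uac", "accepted_uas", "established"
BYE_SENT, BYE_RECEIVED, TERMINATED = "bye_sent", "bye_received", "terminated"

# Allowed transitions (f, direction, event) -> next; 'tx' = sent by the node,
# 'rx' = received by it. Any combination absent here is an illegal transition.
TRANSITIONS = {
    (IDLE, "tx", "INVITE"): CALLING,
    (IDLE, "rx", "INVITE"): PROCEEDING,
    (CALLING, "rx", "1xx"): CALLING,
    (CALLING, "rx", "2xx"): ACCEPTED_UAC,
    (CALLING, "rx", "fail"): TERMINATED,
    (ACCEPTED_UAC, "tx", "ACK"): ESTABLISHED,
    (PROCEEDING, "tx", "1xx"): PROCEEDING,
    (PROCEEDING, "tx", "2xx"): ACCEPTED_UAS,
    (PROCEEDING, "tx", "fail"): TERMINATED,
    (ACCEPTED_UAS, "rx", "ACK"): ESTABLISHED,
    (ESTABLISHED, "tx", "BYE"): BYE_SENT,
    (ESTABLISHED, "rx", "BYE"): BYE_RECEIVED,
    (BYE_SENT, "rx", "2xx"): TERMINATED,
    (BYE_RECEIVED, "tx", "2xx"): TERMINATED,
}

@dataclass
class Alert:
    node: str
    call_id: str
    state: str     # FSM state f when the violation was seen
    event: tuple   # (direction, kind) or ("reported", p)
    blocked: bool  # True if the offending message was dropped (claim 3 style)

class SignatureFreeIDS:
    def __init__(self, block_on_alert: bool = True):
        self.block_on_alert = block_on_alert
        self.fsm = {}  # (node, call_id) -> current state f; one FSM per session/node

    def state(self, node: str, call_id: str) -> str:
        return self.fsm.get((node, call_id), IDLE)

    def observe(self, node: str, direction: str, raw: str) -> Optional[Alert]:
        """Feed one message seen at `node`; return an Alert if it is illegal."""
        call_id, kind = classify(raw)
        f = self.state(node, call_id)
        nxt = TRANSITIONS.get((f, direction, kind))
        if nxt is None:
            # No legal transition from f: the FSM stays in f, as a dropped message would leave it.
            return Alert(node, call_id, f, (direction, kind), self.block_on_alert)
        self.fsm[(node, call_id)] = nxt
        return None

    def check_reported_state(self, node: str, call_id: str, p: str) -> Optional[Alert]:
        """Claim-1 style check: the node reports protocol state p; alert if p != f."""
        f = self.state(node, call_id)
        return None if p == f else Alert(node, call_id, f, ("reported", p), False)

def sample_run():
    """Constructed traffic at 'alice': a legitimate call, then two illegal messages."""
    legit = [
        ("tx", "INVITE sip:bob@example.com SIP/2.0\r\nCall-ID: c1@alice\r\n"),
        ("rx", "SIP/2.0 180 Ringing\r\nCall-ID: c1@alice\r\n"),
        ("rx", "SIP/2.0 200 OK\r\nCall-ID: c1@alice\r\n"),
        ("tx", "ACK sip:bob@example.com SIP/2.0\r\nCall-ID: c1@alice\r\n"),
        ("rx", "BYE sip:alice@example.com SIP/2.0\r\nCall-ID: c1@alice\r\n"),
        ("tx", "SIP/2.0 200 OK\r\nCall-ID: c1@alice\r\n"),
    ]
    rogue = [  # BYE for a call that never existed; 200 OK for an INVITE alice never sent
        ("rx", "BYE sip:alice@example.com SIP/2.0\r\nCall-ID: c2@alice\r\n"),
        ("rx", "SIP/2.0 200 OK\r\nCall-ID: c3@alice\r\n"),
    ]
    ids = SignatureFreeIDS()
    legit_alerts = [a for d, m in legit if (a := ids.observe("alice", d, m))]
    rogue_alerts = [a for d, m in rogue if (a := ids.observe("alice", d, m))]
    return ids, legit_alerts, rogue_alerts
```

Two practical caveats the sketch makes visible: the detector is only as good as the completeness of the transition table (a legitimate re-INVITE or CANCEL would be flagged here because the table omits them, which is a false positive, not an attack), and an attacker who can observe a session can still send messages that are legal for the current state, so an FSM-based detector catches out-of-sequence injection and spoofed teardown but not every misuse of a well-formed message.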

Claims

exact text as granted — not AI-modified
What is claimed is:

1. A method comprising:
   receiving, by an intrusion detection system, a first signal that indicates that a first communications protocol at a first node is in a state p, wherein the first communications protocol includes one or more states;
   maintaining, by the intrusion detection system, a first finite-state machine that is associated with the first node, wherein the first finite-state machine includes one or more states, each state of the first finite-state machine corresponding to a respective allowed state of the first communications protocol, wherein the intrusion detection system updates a current state f of the first finite-state machine in response to messages received by and transmitted by the first node, and wherein the current state f of the first finite-state machine corresponds to one of the respective allowed states of the first communications protocol; and
   generating, by the intrusion detection system, a second signal that generates an intrusion alert when the current state f of the first finite-state machine is incompatible with the state p.

2. The method of claim 1, wherein the second signal is generated without any attempt to match an attack signature.

3. The method of claim 1, further comprising blocking, by the intrusion detection system, a subsequent message from reaching its destination in response to the generation of the second signal.

4. The method of claim 1, wherein the intrusion detection system comprises the first node.

5. The method of claim 1, further comprising:
   maintaining, by the intrusion detection system, a second finite-state machine that is associated with a second node, wherein the second finite-state machine includes one or more states, each state of the second finite-state machine corresponding to a respective allowed state of the second communications protocol, wherein the intrusion detection system updates a current state of the second finite-state machine in response to messages received by and transmitted by the second node, and wherein the current state of the second finite-state machine corresponds to one of the respective allowed states of the second communications protocol; and
   generating, by the intrusion detection system, a third signal that indicates a possible intrusion at the second node when the current state of the second finite-state machine is incompatible with a state of the second communications protocol.

6. The method of claim 5, wherein the third signal is generated without any attempt to match an attack signature.

7. The method of claim 5, further comprising blocking, by the intrusion detection system, a subsequent message from reaching its destination in response to the generation of the third signal.

8. The method of claim 5, wherein a change in the state of the second communications protocol is engendered by one of a message transmitted by the second node or a message directed to the second node.

9. A method comprising:
   receiving, by an intrusion detection system, a first signal that indicates that a communications protocol at a node has transitioned from a state p₁ to a state p₂;
   maintaining, by the intrusion detection system, a finite-state machine that is associated with the node and that represents the communications protocol, each state of the finite-state machine corresponding to a respective allowed state of the communications protocol, wherein the intrusion detection system updates a current state f of the finite-state machine as necessary in response to messages received by and transmitted by the node, and wherein the current state f of the finite-state machine corresponds to one of the respective allowed states of the communications protocol; and
   when the state p₂ is incompatible with the current state f generating, by the intrusion detection system, a second signal that generates an intrusion alert at the node.

10. The method of claim 9, wherein the second signal is generated without any attempt to match an attack signature.

11. The method of claim 9, further comprising blocking, by the intrusion detection system, a subsequent message from reaching its destination in response to the generation of the second signal.

12. The method of claim 9, wherein the intrusion detection system comprises the node.

13. The method of claim 9, wherein the transition from the state p₁ to the state p₂ is engendered by a message transmitted by the node.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.